ICO finds its feet with GDPR fines

Like buses, you wait ages for one, then two come along at once. We’ve been waiting for the ICO to issue fines under GDPR and in the space of a week, they’ve issued two (well, technically notices of intention to fine – the actual fines will follow later):

British Airways

Data of approximately 500,000 customers was affected by a cyber incident in 2018. This saw user traffic being diverted to a fraudulent site. BA’s poor security arrangements allowed the compromise of data including login details, name & address, payment card, booking details. BA cooperated with the ICO’s investigation and has since improved its security.


Data of roughly 339 million guest records was exposed, 30 million residents in the EEA and 7 million in the UK. A variety of personal data was affected when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016 but didn’t undertake sufficient due diligence and could have and should have done more to secure its systems. Marriott also cooperated with the ICO’s investigation and improved its security. 

What next?

Many people – me included – expected the first large fine to come from Germany where they are arguably much keener on protecting personal data. These fines even dwarf the French regulator’s €50m fine on Google.

First, it’s important to note, these fines aren’t final. The ICO has notified them both that it intends to fine them those amounts and has asked for them to make representations. It’s possible that, following those representations, the final amounts will be lower. The BA fine is approximately 0.8% of its parent IAG’s 2018 global turnover of €24.406 billion and the Marriott fine is about 0.6% of their 2018 global turnover of $20.75 billion. Neither of these are maximum fines under GDPR – which would be up to 2% of global turnover* – but certainly, if finalised at these amounts, they are by far the largest fines ever from the ICO. The previous highest fines were against Facebook in October 2018 and Equifax September 2018, both £500,000 which was the maximum permitted under the old law. And we may see higher GDPR fines in the future. (* 4% if it were to involve a failure to comply with basic principles for processing or the data subject’s rights.)

If you haven’t addressed GDPR already, now is a very good time to do so. And if your CFO told you there was no budget to sort out the handling of personal data, you might find that they have just discovered some budget…

Update 12/7/19: adjusted the figures in penultimate para

One comment

  1. […] There’s no doubt the ICO are busy investigating misuses of data under GDPR. But here in the UK we’ve not seen an equivalent of the €50m Google fine in France. That’s maybe why some compare GDPR to Y2K. But the ICO always said they wouldn’t simply massively increase the level of fines under GDPR. They continue to issue fines and are using their other enforcement powers, including prohibiting further processing. Just because they haven’t yet, doesn’t mean they won’t. UPDATE 11/7/19: ICO finds its feet with GDPR fines […]


What's your view? Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.